Tag Archives: linux

Secure Zammad with LetsEncrypt Certıfıcate on Ubuntu 20.4 Apache

January 26, 2021 Mohammed Hamada Leave a comment

The Story

after installing Zammad ticketing system I tried to implement Let’sEncrypt certificate to secure the system but there was nothing available on the internet except an old article about implementing this on Ubuntu 16 with Nginx (see article here).

In my case I was using apache and no Nginx in place, and after installing Zammad it was using pretty fine on Http but needed to redirect http to HTTPS after implementing the certificate.

Solution:

I first Installed Certbot for apache and then I took a backup of all my Zammad configuration and made sure not to alter the default Zammad directory.

So I created a dummy folder called /var/www/support and a file called /var/www/support/index.html within that folder and provided them the appropriate permissions.

sudo apt install certbot python3-certbot-apache

sudo mkdir /var/www/support

sudo chown -R $USER:$USER /var/www/support

sudo chmod -R 755 /var/www/support

sudo nano /var/www/support/index.html

Edit the index.html file with the following to make sure that it works

<html>
             <head>
                         <title>Welcome to Your_domain!</title>
             </head>
             <body>
                       <h1>Success! The your_domain virtual host is working!</h1>
           </body>
</html>

Edit Zammad’s Default Config File

Please make sure you take a move the original copy of Zammad file to another location using the following command

sudo mv /etc/apache2/sites-enabled/zammad.conf /etc/apache2/sites-enabled/zammad.bak

Then we’ll replace the file with this configuration but since we moved the original file to .bak then we’ll have to recreate it with our intended configuration.

Edit a new zammad.conf file and copy the configuration below

sudo vi /etc/apache2/sites-enabled/zammad.conf

Configuration starts below this:

# this is the apache config for zammad

# security – prevent information disclosure about server version

#ServerTokens Prod

<VirtualHost *:8080> # I changed the default port of Zammad to 8080 to allow Letsencrypt to connect on 80 and create the certificate

# replace ‘localhost’ with your fqdn if you want to use zammad from remote

ServerName localhost:8080

## don’t loose time with IP address lookups

HostnameLookups Off

## needed for named virtual hosts

UseCanonicalName Off

## configures the footer on server-generated documents

ServerSignature Off

ProxyRequests Off

ProxyPreserveHost On

<Proxy 127.0.0.1:3000>

Require local

</Proxy>

ProxyPass /assets !

ProxyPass /favicon.ico !

ProxyPass /apple-touch-icon.png !

ProxyPass /robots.txt !

ProxyPass /ws ws://127.0.0.1:6042/

ProxyPass / http://127.0.0.1:3000/

— INSERT — 10,38 Top

DocumentRoot “/opt/zammad/public”

<Directory />

Options FollowSymLinks

AllowOverride None

</Directory>

<Directory “/opt/zammad/public”>

Options FollowSymLinks

Require all granted

</Directory>

</VirtualHost>

<VirtualHost *:80>

ServerName support.cloud-net.tech

DocumentRoot /var/www/support

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

– ————————-

In the above configuration we did two things:

1- Replacing the original Zammad listening port instead of 80 to 8080

2- Created a new virtual host that points to our dummy folder /var/www/support

Save the file and exit from vi

Make sure you restart Apache after this

sudo systemctl restart apache2

Enable the new site configuration

sudo a2ensite zammad.conf

Lets create the certificate

In the below commands , the first one will drive you through the process of getting the certificate.

The second checks the status of the configuration of the auto renewal script certbot and third command tests the renewal of the certificate.

1- sudo certbot –apache

2- sudo systemctl status certbot.timer

3- sudo certbot renew –dry-run

As you can see in the below screenshot the command also asks you if you’d like to redirect all http traffic to HTTPS. You should want to say Y to that.

When you accept creating Redirection rule from HTTP to HTTPs the main Zammad config will get that configuration which wont work in that case because we already changed the default zammad port to 8080.

So you’ll need to get into that zammad.conf that you created again and enter the redirection portion

# this is the apache config for zammad
#

# security – prevent information disclosure about server version
#ServerTokens Prod

<VirtualHost *:8080>
# replace ‘localhost’ with your fqdn if you want to use zammad from remote
ServerName support.cloud-net.tech:8080

## don’t loose time with IP address lookups
HostnameLookups Off

## needed for named virtual hosts
UseCanonicalName Off

## configures the footer on server-generated documents
ServerSignature Off

ProxyRequests Off
ProxyPreserveHost On

    <Proxy 127.0.0.1:3000>
         Require local
     </Proxy>

    ProxyPass /assets !
     ProxyPass /favicon.ico !
     ProxyPass /apple-touch-icon.png !
     ProxyPass /robots.txt !
     ProxyPass /ws ws://127.0.0.1:6042/
     ProxyPass / http://127.0.0.1:3000/

# change this line in an SSO setup
RequestHeader unset X-Forwarded-User

DocumentRoot “/opt/zammad/public”

    <Directory />
         Options FollowSymLinks
         AllowOverride None
     </Directory>

    <Directory “/opt/zammad/public”>
         Options FollowSymLinks
         Require all granted
     </Directory>

RewriteEngine on
RewriteCond %{SERVER_NAME} =support.cloud-net.tech
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

<VirtualHost *:80>
ServerName support.cloud-net.tech
RewriteEngine on
RewriteCond %{SERVER_NAME} =support.cloud-net.tech
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Note:

You need to make sure that you have enabled port 443 on your Firewall and changed the main protocol of Zammad to HTTPs

To do so you’ll need to get into the Zammad portal > Settings > System > Http Type and change that to HTTPS.

That’s it, my example here worked as expected and now my traffic is automatically getting redirected to https.

Hope this helps anyone looking for such configuration.

Please consider donating to this Bitcoin account if you like this article or website.

ATP, Azure, Linux, Office 365, Security

Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

May 18, 2020 Mohammed Hamada Leave a comment

Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some windows devices, I was in the mood of trying the new Deepin 20 desktop flavor which is a famous Chinese Linux OS based system.

Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.

How to Install?

After I installed the Deepin OS, I was really impressed by the new beautiful Linux design so I plan to use it and have it secure with ATP.

Prerequisites:

Configure the Linux software repository for Ubuntu and Debian
Application Installation
Download the onboarding Package
Client Config

1-Configure the Linux software repository for Ubuntu and Debian

You will need to install the required libraries, install Gpg, apt-transport-https and update repository metadata using the following commands one by one.

sudo apt-get install curl

sudo apt-get install libplist-utils

curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list

sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
sudo apt-get install gpg

curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add –
sudo apt-get install apt-transport-https
sudo apt-get update

After successfully installing all the libraries, I will go ahead and install the application

2- Application Installation

From the Linux client Terminal using sudo power user run the following script

sudo apt-get install mdatp

Once finished, You can go back to the ATP portal and download the Linux Onboarding package on the linux server/client you want to onboard

3- Download the onboarding Package

Since I am doing a single deployment not bulk, then I will go to the Microsoft Defender Security Center’s setting page and download the Linux package from the device management section.

The steps for the onboarding is already mentioned on that page so after you download the script you’ll know exactly what to do next.

The file is 9kb python in size

Copy the file to your Linux Desktop

4- Client Config

From the terminal type in chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and hit enter

Note: python must be installed on this linux dervice.

Then type python /MicrosoftDefenderATPOnBoardingLinuxServer.py

This will run pretty quick and will assign your Linux server/client with your Organization ID.

To see the Organization ID type:

mdatp –health orgId

Few minutes later you’ll be able to see the installation completion and the status through this command

Check if WDATP is functioning as expected

mdatp –health healthy

Check if WDATP agent is enabled

mdatp –health realTimeProtectionEnabled

Let’s check on our ATP portal and see if the machine is showing there.

Note: It might take 5-15 mins to update the definitions of WDATP when onboarding.

Running a detection Test:

curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

In few seconds the file has disappeared

Checking for threats

mdatp –threat –list –pretty

Let’s see this on the ATP Portal

This is just a test malware not a real one therefore it wont harm your machine at all.

Hope this helps you with your deployments

Ref:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

Deepin 20 Beta version

https://www.deepin.org/en/2020/04/15/deepin-20-beta/

Azure, Microsoft, Virtual Machine Manager

Deploy Azure Linux and Windows servers in 10 mins via cli

January 16, 2020 Mohammed Hamada Leave a comment

This is a step by step guide about deploying Linux or Windows servers on Azure via CLI.

Why Cli?

Some people prefer using Linux rather than PowerShell and it seems sometimes easier and faster to learn esp if you’re not GUI type of person.

Installation Options

If you’re working on Windows and would like to use CLI, you’ll have two options to install CLI

Option 1

Run Azure CLI installation directly from your Powershell (PowerShell needs to run from a privileged account)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList ‘/I AzureCLI.msi /quiet’

As soon as you run this command, it’ll take about 5 mins or less depending on the connection you have.

Option 2

Download the MSI file directly from MS’s link and install it on your Computer.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Connect to Azure CLI from PowerShell

Run PowerShell or CMD and type the following command to connect

Az Login then hit enter

As soon as you type this, a web page will be launched asking you for your Azure Account credentials so open the session for your Cli window.

The moment you verified your account, PowerShell will list your azure plans that you have / had before.

If you’re going to use Linux (Ubuntu, Debian) flavor then you’d have to following the following instructions

Manual install instructions

If you don’t want to run a script as superuser or the all-in-one script fails, follow these steps to install the Azure CLI.

Get packages needed for the install process:

bash


sudo apt-get update

sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg

Download and install the Microsoft signing key:

bash


curl -sL https://packages.microsoft.com/keys/microsoft.asc | 

    gpg --dearmor | 

    sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg &gt; /dev/null

Add the Azure CLI software repository:

bash


AZ_REPO=$(lsb_release -cs)

echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | 

    sudo tee /etc/apt/sources.list.d/azure-cli.list

Update repository information and install the

azure-cli

package:

bash
```
sudo apt-get update

sudo apt-get install azure-cli
```

Run the Azure CLI with the

command. To sign in, use the az login command.

Run the

login

command.

Azure CLI

Try It
```
az login
```
If the CLI can open your default browser, it will do so and load an Azure sign-in page.

Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.

To learn more about different authentication methods, see Sign in with Azure CLI.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

We will start first by creating a Resource Group for our Machine, calling it a AzureLinuxServersGroup to easily identify that this group contains our Linux Servers

az group create –name AzureLinuxServersGroup –location westeurope

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

First, How we know which Image to use and if that will be proper for our deployment?

To answer that, we will use the following command which will view the available latest edition Linux OS with different flavors.

I would like to use CentOS since its identical to RedHat and used by majority of Enterprises.

To list the Images, Enter the following command

az vm image list –output table

Notice there are many columns, The one which we are going to use in terminal command line is the UrnAlias. It’s important to remember this.

az vm create \

–resource-group AzureLinuxServersGroup \

–name AzureCentOSWP \

–image CentOS \

–admin-username Moh10lyUser \

–generate-ssh-keys

Since we are using Bash, It’s a case sensitive and it complained about user having capital letters. So we’ll go ahead and use small letters

After running the command with small letters, it’s telling us where we can find the keys in order for us to reach and get them to use later to login to this newly created machine.

SSH key files ‘/home/moh10ly/.ssh/id_rsa’ and ‘/home/moh10ly/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.

The deployment of the machine takes about 3 mins, and it’ll be created with the default minimum resources. Let’s view

Our machine is ready to be accessed now

In order for you to get the SSH Keys, you’ll have to have a bit of knowledge

I am going to go the location mentioned previously after creating a machine and copy the keys from the bash screen into a file. Save the file and Import it into SSH client which I will be using (Bitvise in my case).

From the bash screen goto cd /

Cd /home/user/.ssh/

Cat id_rsa hit enter and copy the key and save it into notepad.

Cat id_rsa.pub and copy/save into a notepad as the public key.

After loading both keys, I was able to successfully login to the Server

Get a list of Azure VMS

az vm image list

Let’s List and deploy a WordPress on CentOS

To view the list of available CentOS images, we’ll use the following cli command

az vm image list -f CentOS –all

The image needs to be grabbed from dockerhub URL

cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type Linux –image cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008 –dns-name-label azmohlinux –ports 22

Create Windows Server core with IIS

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type windows –image mcr.microsoft.com/windoervercore/centos –dns-name-label azmohlinux –ports 22ws/servercore/iis:nanoserver –dns-name-label azmohiis –ports 80

Here we go I got a machine ready (took about 5 mins)

azmohiis.westeurope.azurecontainer.io

To delete the container, you can write the following

az container delete –resource-group mohazbackupgroup –name mohcontainer

Stay tuned for more articles about Azure.

FreePBX, Linux, Skype for Business 2015

Resetting Root Password for FreePBX 14.0.5.1–Sangoma Linux 7

November 17, 2018 Mohammed Hamada 2 Comments

Many people have been through this same problem either due to forgetting the root password, typing it wrong or due to console language conversion issue.

Mine was due to using a remote console which didn’t translate my keyboard properly and caused a wrong password.

So I ended up having access to the GUI screen but not the root. So first thing came to my mind is should I reformat the machine and reinstall it since it doesn’t take long time? but no I like challenges and started digging into how do I reset the password.

Since I do still have the access to console I can try from the Kernel, the default ISO install FreePBX with Sangoma 7 Distro which is based on Centos Kernel 3.10.0-862.2.2.3 el7.x86_64.

So I first attempt I tried was following the same method of resetting root password on Centos through Kernel.

1- Restarting the machine to get into Kernel:

When Restarting Press E to edit the Kernel